As digital transformation takes hold, organizations must learn what their cybersecurity risks are – and how best to address them.
Cybersecurity is in the news, but the risks posed by weak and outdated security measures are hardly new. For more than two decades, organizations have struggled to keep pace with rapidly evolving attack technologies.
With the arrival in May of WannaCry, a massive and highly coordinated ransomware attack that left tens of thousands of organizations around the world hoping for the safe restoration of their data, the threat posed by malware creators took an ominous turn. The attack sent an unambiguous wake-up call to organizations worldwide that now is the time to reassess and reinforce existing cybersecurity strategies.
Connectivity Creates Opportunities and Challenges
Emerging technologies, particularly the Internet of Things (IoT), are taking global connectivity to a new level, opening fresh and compelling opportunities for both adopters and, unfortunately, attackers.
Sadik Al-Abdulla, director of security solutions for CDW, says growing connectivity has ushered in a new era of critical security threats. “The same viruses we’ve been fighting for 20 years, now those viruses grow teeth,” he adds, noting that organizations are just beginning to respond to more dangerous cybersecurity adversaries. “Suddenly, just in the last 18 months, with the explosion of ransomware, we’ve seen really substantial support from outside IT to actually start getting these projects done, because there has been real pain experienced.”
IoT poses a significant new challenge, Al-Abdulla observes. “As new devices are connected, they represent both a potential ingress point for an attacker as well as another set of devices that have to be managed,” he says. “Unfortunately, most of the world is trying to achieve the promise provided by IoT projects as rapidly as possible, and they are not including security in the original design, which creates greater weakness that is very, very hard to get back after the fact and correct.”
Al-Abdulla also notes that many organizations are unintentionally raising their security risk by neglecting routine network security tasks. “Every time our assessment team looks at the inside of a network, we find systems that haven’t been patched in 10 years,” he says. “Sometimes, it’s IoT devices.”
Al-Abdulla’s team has observed devices with “a flavor of Linux or Windows embedded” that have not been updated since they left the factory. Security cameras, badge readers, medical devices, thermostats and a variety of other connected technologies all create potential attack gateways.
“All it takes is the wrong guy to click the wrong thing in the wrong part of the network,” says Martin Roesch, vice president and chief architect of the Cisco Security Business Group. “You get mass propagation throughout the environment, and then you have a huge problem.”
“It’s a very complicated world that we live in right now, because the attacker and defense problem is highly asymmetrical,” Roesch adds.
The changing nature of networks and the devices located within them, combined with the fact that organizations keep introducing new software and hardware into their IT environments, makes it nearly impossible to keep pace with a new generation of skilled attackers. “It becomes very, very difficult to respond and be effective against the kind of threat environment that we face today because the attackers are highly motivated,” he says.
The Danger of Giving in to Ransomware
Ransomware is like a thug with a gun: “Pay up, or your data gets it!”
Facing such a blunt demand, many organizations simply cave in and hand over whatever amount of money (usually in the form of bitcoin) is necessary to regain their data.
Problem solved? Not necessarily, says Michael Viscuso, co-founder and chief technology officer of endpoint security provider Carbon Black, who sees no easy way out of a ransomware attack. “It’s still surprising to me that people who have paid the ransom think that the game is over,” he says. “The reality is that the attacker has access to your system and is encrypting and decrypting your files whenever he wants to – and charging you every time.”
James Lyne, global head of security research at security technology company Sophos, notes that many ransomware attackers hide code within decrypted data, allowing them to reinfect the host at a future date. “Because if you’ll pay once, you’ll pay twice,” he explains.
Lyne also warns about the emerging threat of “shredware,” malware that encrypts data without requesting a ransom, effectively destroying it. “I bring that up because I’ve had a lot of board advisory meetings recently where people have said, ‘Well surely, we’ll just keep a fund, and if our data is encrypted, we will just pay the cybercriminals,’” he says.
Instead, organizations can take steps to defend themselves against ransomware. These steps include:
- Effective backups: IT staff can save themselves trouble and money by implementing regular backup practices to an external location such as a backup service. In the event of a ransomware infection, backup data can get organizations back on their feet quickly.
- User training: Most infections are the result of users clicking on links or attachments that are connected to malicious payloads. IT teams can avoid these pitfalls by training users to look out for them.
- Deployment of security solutions: Measures such as anti-malware, firewalls and email filters can help detect ransomware and prevent infections.
The Human Factor
While following security best practices is essential to network security, many organizations remain unaware of, or pay little attention to, the weakest link in the security chain: people.
It doesn’t make sense to try to solve what is essentially a human problem solely with technical means, says Mike Waters, director of enterprise information security for management consulting firm Booz Allen Hamilton. “We have to create an atmosphere, an environment, where people can tell us what risks they know about, and we can document them and work through it in a deliberative manner,” he adds.
Booz Allen has 25,000 people working for it, Waters says, adding, “I need 25,000 people to defend Booz Allen.” Educating users — and instilling in them just a touch of paranoia, he quips — leads to an alert organization in which users report every suspicious thing they encounter. “Ninety-nine percent of what they report is not bad, but the 1 percent that’s critical can get to us,” he says. “We reinforce that behavior — tell us everything.”
Meet the Evil Entrepreneurs
In much the same way that organizations boost their results through ambition and innovation, cybercriminals also are improving the way they operate. “The bad guys are entrepreneurial,” says Martin Roesch, vice president and chief architect of the Cisco Security Business Group.
Most successful cybercriminals are part of large and well-structured technology organizations. “There’s a team of people setting up infrastructure and hosting facilities; there’s a team of people doing vulnerability research; there’s a team of people doing extraction of data; there’s a team of people building ransomware; there’s a team of people delivering ransomware; there’s a team of people doing vulnerability assessment on the internet; there’s a team of people figuring out how to bypass spam filters,” says Michael Viscuso, co-founder and CTO of Carbon Black.
Roesch says organizations have found it “very difficult to respond and be effective against the kind of threat environment that we face today,” but says security experts within Cisco have specifically targeted cybercrime organizations and achieved some success in shutting them down.
Weighing Risk Against Benefits
Security boils down to measuring risk against anticipated benefits. “One of the fascinating things about risk is that low-level engineers know where the risks are, but they don’t necessarily tell anybody,” Waters says. As an example, he cites Operation Market Garden, a World War II Allied military effort (documented in the book and movie A Bridge Too Far) that was fatally hampered by poor radio communication. “People knew those radios weren’t going to work when they got over there,” Waters says. “They didn’t tell anybody because they didn’t want to rock the boat.”
Once a risk is identified, users and IT professionals must be committed to addressing it, with the support of executives. Across all departments and in all situations, calm person-to-person communication is always a reliable and effective security tool. “If we’re running around with our hair on fire all the time, they don’t want to talk to us,” Waters adds. “We want everybody to be able to talk with us and share their risks, so we know to prioritize and trust them.”
In a perfect world, security professionals would strive to create a risk-free environment. “We want it all down to zero,” Waters says. That’s not possible, however, because some degree of risk is inherent in every action an organization takes. “As challenging as it may seem, there are risks businesses are willing to accept,” Waters adds.
Too much caution blocks or degrades benefits, particularly when security mandates unnecessarily interfere with routine activities. Simply telling people what not to do is rarely effective, particularly if what they’re doing saves time and produces positive results. “We talk about Dropbox and things like that,” Waters says. “If your policies are too restrictive, people will find a way around them.”
Author: CDW Brandvoice
In college, I had a short-lived and hilarious dream that I could learn to play lacrosse. I suppose I was attracted to the glamour of running wind sprints for two hours while being hit with titanium poles.
Alas, the dream was not to be. When I showed up to my first pick-up game, I had no idea what a “slide” was, didn’t realize “clamping” had anything to do with face-offs and had no idea where “the box” was.
I lacked lacrosse literacy.
The problem’s the same with business intelligence software. Except, data literacy is the key factor.
If you want your employees to use the $3,000-per-license business intelligence software you bought, they need to be data literate first. Otherwise, that BI tool will be as useless as a lacrosse stick was in my hands.
Fortunately, Gartner research can help you and your team get data literate. They’ve come up with multiple strategic suggestions that you can implement at your business.
What Is Data Literacy?
Data literacy means you “speak” data the way you might speak any other foreign language.
“Gartner defines data literacy as the ability to read, write, and communicate data in context, including an understanding of data sources and constructs, analytical methods and techniques applied, and the ability to describe the use case application and resulting value.”
(Full research available to Gartner clients.)
In plain English, data literacy means you know what data you’re tracking, why you’re tracking it, how to read that data, and how to use that data to save or make money.
Data Literacy Is the Gateway to Business Intelligence
At its heart, business intelligence software is a data-wrangling program.
BI software programs organize all your data sources (website data, CRM data, email data, financial and POS data) and let you see how those data sources interact (for example, did sales increase when you changed the colors on your website?).
So, until your employees are literate with the data your business intelligence tool wrangles, they won’t know how to wrangle their business intelligence tool.
The data literate person knows what data they’re tracking, where it’s stored, and how it fits together. That’s not all they know, though.
Data literacy is also a way of thinking in terms of data. The data literate person doesn’t just think in generic terms—such as did sales increase? They think in terms of data—did Q1 website conversions among women ages 18 to 34 increase as a result of that email campaign?
It’s like learning a foreign language: You haven’t really learned that new language until you start thinking in it, as well as speaking it.
How To Teach Your Employees Data Literacy
Most employees, however, probably don’t think in terms of data, which presents you with another challenge: How do you get your employees to start thinking in terms of data?
1. Employees need to know what data literacy is
Becoming literate in any new lingo is challenging … especially when people don’t know that lingo even exists.
Chances are, most of your employees aren’t even aware that data literacy is a concept. So if you want your employees to use your BI software, you’ll have to introduce data literacy first and explain why it matters.
And don’t just introduce the concept of data literacy once. Introduce it repeatedly.
No, “introduce repeatedly” is not an oxymoron. Since learning how to speak (and think) data is a major change, a single introduction probably won’t stick. They may forget at first, and that’s natural.
Case in point: As a one-time substitute teacher, I got several classes to make a major change by introducing that change gradually.
The English teacher I subbed for allowed cell phone use in her classes. Predictably, the students were learning next to nothing, though their Candy Crush scores were amazing, and they Snapchatted all their paper cuts. About a month into the gig, I decided to ban cell phones.
The change only worked because I introduced it gradually—I announced I would start the policy on a set date, explained why I was doing it, and reminded students to leave phones in their lockers.
If students brought their phones with them, they could put them in a plastic box at the front of the room when class started. If their phone rang while in the box, I’d leave it alone. If it rang while on them, I’d answer it in a loud and public fashion, and they’d go to the principal’s office.
Though the notion of spending even 45 minutes without their phones was horrifying for most of them, the policy worked well because I gradually introduced the concept of class without phones.
How to put this into practice:
There are multiple ways to introduce data literacy to your employees over a period of time.
At Capterra, our employees volunteer to lead “lunch and learn” sessions: brief, hourlong intros to topics that interest them. You could encourage data-savvy employees at your company to do the same.
You could also spend time at all-company or department meetings translating basic activities, or concepts, into data. Anything that breaks the data-ice is a good idea.
2. Employees need to speak data
Once employees know what data literacy is, they need to learn to “speak” data.
Gartner analyst Valerie Logan suggests you approach learning to speak data the same way you would any foreign language and even refers to the process as ISL or information as a second language. (Full Gartner research is available to clients.)
How to put this into practice:
Figure out which employees already speak data, and also who can translate data into plain English. These “data translators” can help employees who struggle to speak data.
Figure out what the language barriers are to speaking data: If business and IT folks don’t speak the same language, that’s a language barrier (or “interpretation gap,” as it’s also called).
There are multiple ways to break language barriers:
- Keep a glossary of common terms.
- Make sure C-level executives speak data so they can set an example.
- Make sure your business goals are expressed in actionable language.
3. Employees need to speak data to each other
Practice makes perfect, so speak data regularly until it becomes a habit.
As Gartner analysts Alan Duncan and Lydia Clougherty Jones suggest, the best data-driven companies focus consciously on this goal. They don’t just speak data, they interact in terms of data. They use data as a way to build inter-team trust, presenting evidence and keeping an eye open for problems such as confirmation bias. (Full Gartner research is available to clients.)
At the same time as you’re learning terms such as “confirmation bias” and “cognitive filtering,” you can think about examples of them in your own work and be on guard against these bad habits.
How to put this into practice:
Follow the example of foreign language conversation clubs. In the same way those clubs meet once a week to practice German or Amharic, get a group together for weekly or monthly coffee meet-ups where you talk data: what data you’re working with, how it interacts with other departments’ data, and what data you wish you had.
For instance, how does your website’s load time impact visitors and conversions? If sales and tech aren’t discussing how those data sets interact, you could be missing out on a possibly lucrative correlation. (Hint: shorter load time almost always means more visitors and conversions).
Discussion groups like this also help with another important goal: becoming data-driven. This is where business intelligence as a way of thinking comes into play. As you’re learning to speak data, treat it as an opportunity to learn how to think differently.
4. Employees need to speak data frequently
Ideally, brown bags and discussion groups will be your first step on the way to data literacy immersion.
Immersion’s the best way to learn to speak a foreign language, and speaking data is no different.
How to put this into practice:
Gartner analyst Valerie Logan recommends you speak data in everyday conversations, “from board meetings to team meetings.” If speaking data becomes a regular behavior, it’s more likely to stick. And when it sticks, you’ll be on your way to being data-driven.
As Gartner analyst Alan Duncan notes, becoming data-driven has more to do with behavior than technical know-how. That’s why HR should also be involved in your attempts to become data literate.
Duncan recommends having the HR department be a core stakeholder in business intelligence change management. Primarily, they can “adjust hiring practices to emphasize analytic literacy.” (Full Gartner research available to clients.)
Employers have learned (the hard way) that one of the biggest security threats in the organization is their own staff.
A report published by Ipswitch looks at data breach causes to find out how rogue employees rank. An interesting finding is that up to 75% of data breaches result from insider threats, while a separate report by Veriato suggests that 90% of cybersecurity experts feel that their company is vulnerable to insider attacks. In fact, about 50% of the 472 professionals surveyed said they had suffered these attacks in the previous 12 months.
Deliberate or not, these threats are very real, and however heavily companies invest in data security software, they will remain vulnerable as long as they keep ignoring a large part of what reducing cybersecurity threats requires.
Since employees (insiders) have access to company information, they are technically a bigger danger to data security than the third-party cyber-criminals who use all manner of innovative ways to gain access to personal data.
A curious business owner wants to know: Why must I involve employees in implementing data security when they have been shown to be a weak point in the same strategy?
1. Social engineering transcends security tools
Human error is often the weakest link in an otherwise ideal chain. From technology to literature, social engineering is the big boss you have to beat after meeting all the other mini-bosses.
By definition, social engineering involves the use of psychological tricks to manipulate people into revealing sensitive information about themselves. For an organization, once the hacker has manipulated an employee to this point, they can gain access to all the areas the employee can typically access. Through social engineering security awareness training, you can help your employees recognize the three most common security scams, identity theft, vishing and baiting, and so protect your company as well.
Without adequate education on social engineering and covering that loophole, security tools are almost useless.
2. It’s part of their responsibility
Apart from preventing the catastrophic aftermath of social engineering, data security is the responsibility of every employee in the organization in this sense: if consumers expect organizations to protect their data, isn’t it the responsibility of employees to make sure the data doesn’t land in the wrong hands?
Dropbox’s 2012 incident, during which hackers reportedly stole data belonging to over 60 million of Dropbox’s clients at the time, was attributed to employee negligence.
As reported, the hackers gained access to the company portal by using an employee’s password that had been exposed in the LinkedIn breach of the same year, which leaked the emails and passwords of 117 million LinkedIn users.
Such an example shows that, as a company, you can still unwittingly betray your customers. While Dropbox wasn’t entirely to blame, an employee reusing passwords offered a telling insight into the company’s internal security standards and, more importantly, a good lesson for all employees in password don’ts.
3. It is now a common regulatory requirement
Organizations are now required to equip their staff with knowledge about data security through internet security awareness training. Laws, regulations and industry codes that call for this include HIPAA, the FTC Red Flags Rule and PCI DSS, among others. While many SMEs don’t do any training to remain compliant, many conduct the training to avoid cyber-attacks.
These tips will help you implement a great training program:
- Diversify your training methods. Have a mix of training techniques at your disposal including classrooms, videos, team discussions, newsletters, posters, etc.
- Educate often. Conduct regular training in monthly, quarterly, or annual cycles.
- There’s no one size that fits all. Different members at different levels will start learning at equally different points.
- Don’t ignore industry regulations.
Don’t be like the owner who delegates the role of data security to themselves because it’s “too important.” If you really want to be stress-free, train your employees well and promote a culture of information security.
Author: Joseph Chukwube